]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Correctly sanitise DNS header bits in answer when recreating query for retry.
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
aff33962 1/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
8a9be9e4 19static struct frec *lookup_frec(unsigned short id, void *hash);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481 21 union mysockaddr *addr,
8a9be9e4
SK		 22 void *hash);
23static unsigned short get_id(void);
1a6bca81 24static void free_frec(struct frec *f);
9e4abcb5 25
00a5b5d4
SK		 26#ifdef HAVE_DNSSEC
27static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
28 int class, char *name, char *keyname, struct server *server, int *keycount);
97e618a0
SK		 29static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
30static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
31 char *name, char *keyname);
00a5b5d4
SK		 32#endif
33
34
824af85b 35/* Send a UDP packet with its source address set as "source"
44a2a316 36 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 37int send_from(int fd, int nowild, char *packet, size_t len,
38 union mysockaddr *to, struct all_addr *source,
50303b19 39 unsigned int iface)
9e4abcb5 40{
44a2a316
SK		 41 struct msghdr msg;
42 struct iovec iov[1];
44a2a316
SK		 43 union {
44 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 45#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 46 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
47#elif defined(IP_SENDSRCADDR)
48 char control[CMSG_SPACE(sizeof(struct in_addr))];
49#endif
50#ifdef HAVE_IPV6
51 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
52#endif
53 } control_u;
feba5c1d 54
44a2a316
SK		 55 iov[0].iov_base = packet;
56 iov[0].iov_len = len;
57
feba5c1d
SK		 58 msg.msg_control = NULL;
59 msg.msg_controllen = 0;
44a2a316
SK		 60 msg.msg_flags = 0;
61 msg.msg_name = to;
62 msg.msg_namelen = sa_len(to);
63 msg.msg_iov = iov;
64 msg.msg_iovlen = 1;
feba5c1d 65
26128d27 66 if (!nowild)
44a2a316 67 {
26128d27 68 struct cmsghdr *cmptr;
feba5c1d
SK		 69 msg.msg_control = &control_u;
70 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 71 cmptr = CMSG_FIRSTHDR(&msg);
72
73 if (to->sa.sa_family == AF_INET)
74 {
5e9e0efb 75#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 76 struct in_pktinfo p;
77 p.ipi_ifindex = 0;
78 p.ipi_spec_dst = source->addr.addr4;
79 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 80 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 81 cmptr->cmsg_level = IPPROTO_IP;
26128d27 82 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 83#elif defined(IP_SENDSRCADDR)
8ef5ada2 84 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 85 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
86 cmptr->cmsg_level = IPPROTO_IP;
87 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 88#endif
26128d27 89 }
26128d27 90 else
b8187c80 91#ifdef HAVE_IPV6
26128d27 92 {
8ef5ada2
SK		 93 struct in6_pktinfo p;
94 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
95 p.ipi6_addr = source->addr.addr6;
96 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 97 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 98 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 99 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 100 }
3d8df260 101#else
c72daea8 102 (void)iface; /* eliminate warning */
44a2a316 103#endif
26128d27 104 }
feba5c1d 105
ff841ebf
SK		 106 while (retry_send(sendmsg(fd, &msg, 0)));
107
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno != 0 && errno != EINVAL)
feba5c1d 110 {
29d28dda 111 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 112 return 0;
feba5c1d 113 }
29d28dda 114
29689cfa 115 return 1;
9e4abcb5 116}
44a2a316 117
28866e95
SK		 118static unsigned int search_servers(time_t now, struct all_addr **addrpp,
119 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 120
121{
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
125
126 unsigned int namelen = strlen(qdomain);
127 unsigned int matchlen = 0;
128 struct server *serv;
28866e95 129 unsigned int flags = 0;
feba5c1d 130
3be34541 131 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 132 /* domain matches take priority over NODOTS matches */
3d8df260 133 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 134 {
28866e95 135 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 136 *type = SERV_FOR_NODOTS;
feba5c1d 137 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 138 flags = F_NXDOMAIN;
139 else if (serv->flags & SERV_LITERAL_ADDRESS)
140 {
141 if (sflag & qtype)
142 {
143 flags = sflag;
144 if (serv->addr.sa.sa_family == AF_INET)
145 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 146#ifdef HAVE_IPV6
36717eee
SK		 147 else
148 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 149#endif
36717eee 150 }
824af85b 151 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 152 flags = F_NOERR;
153 }
feba5c1d
SK		 154 }
155 else if (serv->flags & SERV_HAS_DOMAIN)
156 {
157 unsigned int domainlen = strlen(serv->domain);
b8187c80 158 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 159 if (namelen >= domainlen &&
b8187c80 160 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 161 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 162 {
8ef5ada2
SK		 163 if (serv->flags & SERV_NO_REBIND)
164 *norebind = 1;
28866e95 165 else
feba5c1d 166 {
28866e95
SK		 167 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen != 0 && domainlen == matchlen)
36717eee 172 {
28866e95 173 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 174 {
28866e95
SK		 175 if (!(sflag & qtype) && flags == 0)
176 continue;
177 }
178 else
179 {
180 if (flags & (F_IPV4 | F_IPV6))
181 continue;
182 }
183 }
184
185 if (domainlen >= matchlen)
186 {
187 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
188 *domain = serv->domain;
189 matchlen = domainlen;
190 if (serv->flags & SERV_NO_ADDR)
191 flags = F_NXDOMAIN;
192 else if (serv->flags & SERV_LITERAL_ADDRESS)
193 {
194 if (sflag & qtype)
195 {
196 flags = sflag;
197 if (serv->addr.sa.sa_family == AF_INET)
198 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 199#ifdef HAVE_IPV6
28866e95
SK		 200 else
201 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 202#endif
28866e95
SK		 203 }
204 else if (!flags || (flags & F_NXDOMAIN))
205 flags = F_NOERR;
8ef5ada2 206 }
28866e95
SK		 207 else
208 flags = 0;
209 }
210 }
8ef5ada2 211 }
feba5c1d 212 }
8ef5ada2 213
7de060b0 214 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 215 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 216 /* don't forward A or AAAA queries for simple names, except the empty name */
217 flags = F_NOERR;
8ef5ada2 218
5aabfc78 219 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 220 flags = F_NOERR;
feba5c1d 221
824af85b
SK		 222 if (flags)
223 {
224 int logflags = 0;
225
226 if (flags == F_NXDOMAIN || flags == F_NOERR)
227 logflags = F_NEG | qtype;
228
1a6bca81 229 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 230 }
8ef5ada2
SK		 231 else if ((*type) & SERV_USE_RESOLV)
232 {
233 *type = 0; /* use normal servers for this domain */
234 *domain = NULL;
235 }
feba5c1d
SK		 236 return flags;
237}
44a2a316 238
824af85b
SK		 239static int forward_query(int udpfd, union mysockaddr *udpaddr,
240 struct all_addr *dst_addr, unsigned int dst_iface,
83349b8a 241 struct dns_header *header, size_t plen, time_t now,
613ad15d 242 struct frec *forward, int ad_reqd, int do_bit)
9e4abcb5 243{
9e4abcb5 244 char *domain = NULL;
8ef5ada2 245 int type = 0, norebind = 0;
9e4abcb5 246 struct all_addr *addrp = NULL;
28866e95 247 unsigned int flags = 0;
de37951c 248 struct server *start = NULL;
8a9be9e4
SK		 249#ifdef HAVE_DNSSEC
250 void *hash = hash_questions(header, plen, daemon->namebuff);
251#else
252 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
253 void *hash = &crc;
254#endif
255 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
a77cec8d 256 unsigned char *pheader;
8a9be9e4 257
00a5b5d4
SK		 258 (void)do_bit;
259
3d8df260
SK		 260 /* may be no servers available. */
261 if (!daemon->servers)
9e4abcb5 262 forward = NULL;
8a9be9e4 263 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
9e4abcb5 264 {
a77cec8d
SK		 265 /* If we didn't get an answer advertising a maximal packet in EDNS,
266 fall back to 1280, which should work everywhere on IPv6.
267 If that generates an answer, it will become the new default
268 for this server */
269 forward->flags |= FREC_TEST_PKTSZ;
270
e0c0ad3b 271#ifdef HAVE_DNSSEC
dac74312 272 /* If we've already got an answer to this query, but we're awaiting keys for validation,
e0c0ad3b
SK		 273 there's no point retrying the query, retry the key query instead...... */
274 if (forward->blocking_query)
275 {
276 int fd;
a77cec8d
SK		 277
278 forward->flags &= ~FREC_TEST_PKTSZ;
279
e0c0ad3b
SK		 280 while (forward->blocking_query)
281 forward = forward->blocking_query;
a77cec8d
SK		 282
283 forward->flags |= FREC_TEST_PKTSZ;
e0c0ad3b
SK		 284
285 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
286 plen = forward->stash_len;
287
a77cec8d
SK		 288 if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
289 PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->sentto->edns_pktsz, pheader);
290
2b29191e 291 if (forward->sentto->addr.sa.sa_family == AF_INET)
25cf5e37 292 log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
e0c0ad3b
SK		 293#ifdef HAVE_IPV6
294 else
25cf5e37 295 log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
e0c0ad3b
SK		 296#endif
297
298 if (forward->sentto->sfd)
299 fd = forward->sentto->sfd->fd;
300 else
301 {
302#ifdef HAVE_IPV6
303 if (forward->sentto->addr.sa.sa_family == AF_INET6)
304 fd = forward->rfd6->fd;
305 else
306#endif
307 fd = forward->rfd4->fd;
308 }
309
ff841ebf
SK		 310 while (retry_send( sendto(fd, (char *)header, plen, 0,
311 &forward->sentto->addr.sa,
312 sa_len(&forward->sentto->addr))));
e0c0ad3b
SK		 313
314 return 1;
315 }
316#endif
317
de37951c 318 /* retry on existing query, send to all available servers */
9e4abcb5 319 domain = forward->sentto->domain;
824af85b 320 forward->sentto->failed_queries++;
28866e95 321 if (!option_bool(OPT_ORDER))
de37951c 322 {
0a852541 323 forward->forwardall = 1;
3be34541 324 daemon->last_server = NULL;
de37951c 325 }
9e4abcb5 326 type = forward->sentto->flags & SERV_TYPE;
de37951c 327 if (!(start = forward->sentto->next))
3be34541 328 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 329 header->id = htons(forward->new_id);
330 }
331 else
332 {
333 if (gotname)
8ef5ada2 334 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 335
3a237152 336 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 337 /* table full - server failure. */
338 flags = F_NEG;
9e4abcb5
SK		 339
340 if (forward)
341 {
0a852541
SK		 342 forward->source = *udpaddr;
343 forward->dest = *dst_addr;
344 forward->iface = dst_iface;
0a852541 345 forward->orig_id = ntohs(header->id);
8a9be9e4 346 forward->new_id = get_id();
832af0ba 347 forward->fd = udpfd;
8a9be9e4 348 memcpy(forward->hash, hash, HASH_SIZE);
0a852541 349 forward->forwardall = 0;
ed4c0767 350 forward->flags = 0;
28866e95
SK		 351 if (norebind)
352 forward->flags |= FREC_NOREBIND;
572b41eb 353 if (header->hb4 & HB4_CD)
28866e95 354 forward->flags |= FREC_CHECKING_DISABLED;
83349b8a
SK		 355 if (ad_reqd)
356 forward->flags |= FREC_AD_QUESTION;
7fa836e1
SK		 357#ifdef HAVE_DNSSEC
358 forward->work_counter = DNSSEC_WORK;
613ad15d
SK		 359 if (do_bit)
360 forward->flags |= FREC_DO_QUESTION;
7fa836e1 361#endif
613ad15d 362
28866e95
SK		 363 header->id = htons(forward->new_id);
364
8ef5ada2
SK		 365 /* In strict_order mode, always try servers in the order
366 specified in resolv.conf, if a domain is given
367 always try all the available servers,
9e4abcb5
SK		 368 otherwise, use the one last known to work. */
369
8ef5ada2
SK		 370 if (type == 0)
371 {
28866e95 372 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 373 start = daemon->servers;
374 else if (!(start = daemon->last_server) ||
375 daemon->forwardcount++ > FORWARD_TEST ||
376 difftime(now, daemon->forwardtime) > FORWARD_TIME)
377 {
378 start = daemon->servers;
379 forward->forwardall = 1;
380 daemon->forwardcount = 0;
381 daemon->forwardtime = now;
382 }
383 }
384 else
de37951c 385 {
3be34541 386 start = daemon->servers;
28866e95 387 if (!option_bool(OPT_ORDER))
8ef5ada2 388 forward->forwardall = 1;
de37951c 389 }
9e4abcb5
SK		 390 }
391 }
feba5c1d 392
9e4abcb5
SK		 393 /* check for send errors here (no route to host)
394 if we fail to send to all nameservers, send back an error
395 packet straight away (helps modem users when offline) */
396
397 if (!flags && forward)
398 {
de37951c
SK		 399 struct server *firstsentto = start;
400 int forwarded = 0;
28866e95 401
25cf5e37
SK		 402 /* If a query is retried, use the log_id for the retry when logging the answer. */
403 forward->log_id = daemon->log_id;
404
797a7afb 405 if (option_bool(OPT_ADD_MAC))
60b68069 406 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
28866e95 407
ed4c0767
SK		 408 if (option_bool(OPT_CLIENT_SUBNET))
409 {
60b68069 410 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
ed4c0767
SK		 411 if (new != plen)
412 {
413 plen = new;
414 forward->flags |= FREC_HAS_SUBNET;
415 }
416 }
417
3a237152
SK		 418#ifdef HAVE_DNSSEC
419 if (option_bool(OPT_DNSSEC_VALID))
0fc2f313 420 {
613ad15d
SK		 421 size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
422
5b3bf921
SK		 423 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
424 this allows it to select auth servers when one is returning bad data. */
425 if (option_bool(OPT_DNSSEC_DEBUG))
426 header->hb4 |= HB4_CD;
613ad15d
SK		 427
428 if (new_plen != plen)
429 forward->flags |= FREC_ADDED_PHEADER;
430
431 plen = new_plen;
0fc2f313 432 }
3a237152 433#endif
a77cec8d 434
9e4abcb5
SK		 435 while (1)
436 {
9e4abcb5
SK		 437 /* only send to servers dealing with our domain.
438 domain may be NULL, in which case server->domain
439 must be NULL also. */
440
de37951c 441 if (type == (start->flags & SERV_TYPE) &&
fd9fa481 442 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
b5ea1cc2 443 !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
9e4abcb5 444 {
1a6bca81
SK		 445 int fd;
446
447 /* find server socket to use, may need to get random one. */
448 if (start->sfd)
449 fd = start->sfd->fd;
450 else
451 {
452#ifdef HAVE_IPV6
453 if (start->addr.sa.sa_family == AF_INET6)
454 {
455 if (!forward->rfd6 &&
456 !(forward->rfd6 = allocate_rfd(AF_INET6)))
457 break;
3927da46 458 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 459 fd = forward->rfd6->fd;
460 }
461 else
462#endif
463 {
464 if (!forward->rfd4 &&
465 !(forward->rfd4 = allocate_rfd(AF_INET)))
466 break;
3927da46 467 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 468 fd = forward->rfd4->fd;
469 }
7de060b0
SK		 470
471#ifdef HAVE_CONNTRACK
472 /* Copy connection mark of incoming query to outgoing connection. */
473 if (option_bool(OPT_CONNTRACK))
474 {
475 unsigned int mark;
797a7afb 476 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 477 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
478 }
479#endif
1a6bca81 480 }
a77cec8d
SK		 481
482 if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
483 PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pktsz, pheader);
1a6bca81 484
ff841ebf
SK		 485 if (retry_send(sendto(fd, (char *)header, plen, 0,
486 &start->addr.sa,
487 sa_len(&start->addr))))
488 continue;
489
490 if (errno == 0)
9e4abcb5 491 {
cdeda28f
SK		 492 /* Keep info in case we want to re-send this packet */
493 daemon->srv_save = start;
494 daemon->packet_len = plen;
495
de37951c 496 if (!gotname)
3be34541 497 strcpy(daemon->namebuff, "query");
de37951c 498 if (start->addr.sa.sa_family == AF_INET)
3be34541 499 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 500 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 501#ifdef HAVE_IPV6
502 else
3be34541 503 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 504 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 505#endif
824af85b 506 start->queries++;
de37951c
SK		 507 forwarded = 1;
508 forward->sentto = start;
0a852541 509 if (!forward->forwardall)
de37951c 510 break;
0a852541 511 forward->forwardall++;
9e4abcb5
SK		 512 }
513 }
514
de37951c 515 if (!(start = start->next))
3be34541 516 start = daemon->servers;
9e4abcb5 517
de37951c 518 if (start == firstsentto)
9e4abcb5
SK		 519 break;
520 }
521
de37951c 522 if (forwarded)
824af85b 523 return 1;
de37951c 524
9e4abcb5
SK		 525 /* could not send on, prepare to return */
526 header->id = htons(forward->orig_id);
1a6bca81 527 free_frec(forward); /* cancel */
9e4abcb5
SK		 528 }
529
530 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 531 if (udpfd != -1)
532 {
cdeda28f 533 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 534 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 535 }
536
824af85b 537 return 0;
9e4abcb5
SK		 538}
539
ed4c0767 540static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
fe3992f9
SK		 541 int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
542 int check_subnet, union mysockaddr *query_source)
feba5c1d 543{
36717eee 544 unsigned char *pheader, *sizep;
13d86c73 545 char **sets = 0;
832af0ba 546 int munged = 0, is_sign;
cdeda28f
SK		 547 size_t plen;
548
83349b8a 549 (void)ad_reqd;
982faf40
SK		 550 (void)do_bit;
551 (void)bogusanswer;
83349b8a 552
13d86c73 553#ifdef HAVE_IPSET
82a14af5 554 if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
13d86c73 555 {
82a14af5
SK		 556 /* Similar algorithm to search_servers. */
557 struct ipsets *ipset_pos;
558 unsigned int namelen = strlen(daemon->namebuff);
559 unsigned int matchlen = 0;
560 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
6c0cb858 561 {
82a14af5
SK		 562 unsigned int domainlen = strlen(ipset_pos->domain);
563 char *matchstart = daemon->namebuff + namelen - domainlen;
564 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
565 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
566 domainlen >= matchlen)
567 {
568 matchlen = domainlen;
569 sets = ipset_pos->sets;
570 }
6c0cb858 571 }
13d86c73
JD		 572 }
573#endif
574
feba5c1d 575 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 576 than we allow, trim it so that we don't get overlarge
577 requests for the client. We can't do this for signed packets. */
feba5c1d 578
ed4c0767 579 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 580 {
83349b8a
SK		 581 unsigned short udpsz;
582 unsigned char *psave = sizep;
583
584 GETSHORT(udpsz, sizep);
585
586 if (!is_sign && udpsz > daemon->edns_pktsz)
587 PUTSHORT(daemon->edns_pktsz, psave);
feba5c1d 588
ed4c0767
SK		 589 if (check_subnet && !check_source(header, plen, pheader, query_source))
590 {
591 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
592 return 0;
593 }
613ad15d
SK		 594
595 if (added_pheader)
596 {
597 pheader = 0;
598 header->arcount = htons(0);
599 }
feba5c1d 600 }
83349b8a 601
28866e95 602 /* RFC 4035 sect 4.6 para 3 */
237724c0 603 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
795501bc 604 header->hb4 &= ~HB4_AD;
3a237152 605
572b41eb 606 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
8938ae05 607 return resize_packet(header, n, pheader, plen);
0a852541 608
feba5c1d 609 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 610 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 611 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 612 {
3d8df260 613 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 614 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 615 if (!option_bool(OPT_LOG))
0a852541
SK		 616 server->flags |= SERV_WARNED_RECURSIVE;
617 }
e292e93d 618
572b41eb 619 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 620 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 621 {
fd9fa481 622 munged = 1;
572b41eb
SK		 623 SET_RCODE(header, NXDOMAIN);
624 header->hb3 &= ~HB3_AA;
6938f347 625 cache_secure = 0;
36717eee 626 }
fd9fa481 627 else
36717eee 628 {
6938f347
SK		 629 int doctored = 0;
630
572b41eb 631 if (RCODE(header) == NXDOMAIN &&
fd9fa481 632 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 633 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 634 {
635 /* if we forwarded a query for a locally known name (because it was for
636 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
637 since we know that the domain exists, even if upstream doesn't */
fd9fa481 638 munged = 1;
572b41eb
SK		 639 header->hb3 |= HB3_AA;
640 SET_RCODE(header, NOERROR);
6938f347 641 cache_secure = 0;
feba5c1d 642 }
832af0ba 643
6938f347 644 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
824af85b 645 {
8ef5ada2 646 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b 647 munged = 1;
6938f347 648 cache_secure = 0;
824af85b 649 }
6938f347
SK		 650
651 if (doctored)
652 cache_secure = 0;
feba5c1d 653 }
fd9fa481 654
a25720a3 655#ifdef HAVE_DNSSEC
fe3992f9 656 if (bogusanswer && !(header->hb4 & HB4_CD))
a25720a3 657 {
7d23a66f 658 if (!option_bool(OPT_DNSSEC_DEBUG))
a25720a3
SK		 659 {
660 /* Bogus reply, turn into SERVFAIL */
661 SET_RCODE(header, SERVFAIL);
662 munged = 1;
663 }
664 }
6938f347
SK		 665
666 if (option_bool(OPT_DNSSEC_VALID))
667 header->hb4 &= ~HB4_AD;
668
83349b8a 669 if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
6938f347 670 header->hb4 |= HB4_AD;
613ad15d
SK		 671
672 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
673 if (!do_bit)
674 n = filter_rrsigs(header, n);
a25720a3
SK		 675#endif
676
fd9fa481
SK		 677 /* do this after extract_addresses. Ensure NODATA reply and remove
678 nameserver info. */
679
680 if (munged)
681 {
682 header->ancount = htons(0);
683 header->nscount = htons(0);
684 header->arcount = htons(0);
150162bc 685 header->hb3 &= ~HB3_TC;
fd9fa481
SK		 686 }
687
36717eee
SK		 688 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
689 sections of the packet. Find the new length here and put back pseudoheader
690 if it was removed. */
691 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 692}
693
3be34541 694/* sets new last_server */
1a6bca81 695void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 696{
697 /* packet from peer server, extract data for cache, and send to
698 original requester */
572b41eb 699 struct dns_header *header;
de37951c 700 union mysockaddr serveraddr;
832af0ba 701 struct frec *forward;
de37951c 702 socklen_t addrlen = sizeof(serveraddr);
60b68069 703 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
cdeda28f 704 size_t nn;
1a6bca81 705 struct server *server;
8a9be9e4
SK		 706 void *hash;
707#ifndef HAVE_DNSSEC
708 unsigned int crc;
709#endif
710
cdeda28f
SK		 711 /* packet buffer overwritten */
712 daemon->srv_save = NULL;
832af0ba 713
de37951c 714 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 715 serveraddr.sa.sa_family = family;
de37951c
SK		 716#ifdef HAVE_IPV6
717 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 718 serveraddr.in6.sin6_flowinfo = 0;
de37951c 719#endif
9e4abcb5 720
490f9075
SK		 721 header = (struct dns_header *)daemon->packet;
722
723 if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
724 return;
725
1a6bca81
SK		 726 /* spoof check: answer must come from known server, */
727 for (server = daemon->servers; server; server = server->next)
728 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
729 sockaddr_isequal(&server->addr, &serveraddr))
730 break;
490f9075
SK		 731
732 if (!server)
733 return;
734
8a9be9e4
SK		 735#ifdef HAVE_DNSSEC
736 hash = hash_questions(header, n, daemon->namebuff);
737#else
738 hash = &crc;
739 crc = questions_crc(header, n, daemon->namebuff);
740#endif
fd9fa481 741
490f9075 742 if (!(forward = lookup_frec(ntohs(header->id), hash)))
1a6bca81 743 return;
490f9075 744
25cf5e37
SK		 745 /* log_query gets called indirectly all over the place, so
746 pass these in global variables - sorry. */
747 daemon->log_display_id = forward->log_id;
748 daemon->log_source_addr = &forward->source;
749
32fc6dbe
GH		 750 if (daemon->ignore_addr && RCODE(header) == NOERROR &&
751 check_for_ignored_address(header, n, daemon->ignore_addr))
752 return;
753
2ae195f5 754 if (RCODE(header) == REFUSED &&
28866e95 755 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 756 forward->forwardall == 0)
757 /* for broken servers, attempt to send to another one. */
9e4abcb5 758 {
1a6bca81
SK		 759 unsigned char *pheader;
760 size_t plen;
761 int is_sign;
832af0ba 762
1a6bca81
SK		 763 /* recreate query from reply */
764 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
765 if (!is_sign)
832af0ba 766 {
1a6bca81
SK		 767 header->ancount = htons(0);
768 header->nscount = htons(0);
769 header->arcount = htons(0);
770 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 771 {
bd7bfa21 772 header->hb3 &= ~(HB3_QR | HB3_AA | HB3_TC);
773 header->hb4 &= ~(HB4_RA | HB4_RCODE);
613ad15d 774 forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
1a6bca81 775 return;
832af0ba 776 }
832af0ba 777 }
1a6bca81 778 }
3a237152
SK		 779
780 server = forward->sentto;
1a6bca81
SK		 781 if ((forward->sentto->flags & SERV_TYPE) == 0)
782 {
51967f98 783 if (RCODE(header) == REFUSED)
1a6bca81
SK		 784 server = NULL;
785 else
b8187c80 786 {
1a6bca81
SK		 787 struct server *last_server;
788
789 /* find good server by address if possible, otherwise assume the last one we sent to */
790 for (last_server = daemon->servers; last_server; last_server = last_server->next)
791 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
792 sockaddr_isequal(&last_server->addr, &serveraddr))
793 {
794 server = last_server;
795 break;
796 }
797 }
28866e95 798 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 799 daemon->last_server = server;
800 }
a77cec8d
SK		 801
802 /* We tried resending to this server with a smaller maximum size and got an answer.
86fa1046
SK		 803 Make that permanent. To avoid reduxing the packet size for an single dropped packet,
804 only do this when we get a truncated answer, or one larger than the safe size. */
805 if (server && (forward->flags & FREC_TEST_PKTSZ) &&
806 ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ))
a77cec8d
SK		 807 server->edns_pktsz = SAFE_PKTSZ;
808
1a6bca81
SK		 809 /* If the answer is an error, keep the forward record in place in case
810 we get a good reply from another server. Kill it when we've
811 had replies from all to avoid filling the forwarding table when
812 everything is broken */
51967f98 813 if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
1a6bca81 814 {
fe3992f9 815 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
3a237152
SK		 816
817 if (option_bool(OPT_NO_REBIND))
818 check_rebind = !(forward->flags & FREC_NOREBIND);
819
820 /* Don't cache replies where DNSSEC validation was turned off, either
821 the upstream server told us so, or the original query specified it. */
822 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
823 no_cache_dnssec = 1;
824
825#ifdef HAVE_DNSSEC
51967f98 826 if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
3a237152 827 {
9d633048 828 int status;
0fc2f313
SK		 829
830 /* We've had a reply already, which we're validating. Ignore this duplicate */
e0c0ad3b 831 if (forward->blocking_query)
0fc2f313 832 return;
9d633048 833
871417d4
SK		 834 if (header->hb3 & HB3_TC)
835 {
836 /* Truncated answer can't be validated.
5d3b87a4
SK		 837 If this is an answer to a DNSSEC-generated query, we still
838 need to get the client to retry over TCP, so return
839 an answer with the TC bit set, even if the actual answer fits.
840 */
841 status = STAT_TRUNCATED;
871417d4
SK		 842 }
843 else if (forward->flags & FREC_DNSKEY_QUERY)
8d718cbb 844 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
c3e0b9b6 845 else if (forward->flags & FREC_DS_QUERY)
00a5b5d4
SK		 846 {
847 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
fe3992f9
SK		 848 /* Provably no DS, everything below is insecure, even if signatures are offered */
849 if (status == STAT_NO_DS)
850 /* We only cache sigs when we've validated a reply.
851 Avoid caching a reply with sigs if there's a vaildated break in the
852 DS chain, so we don't return replies from cache missing sigs. */
853 status = STAT_INSECURE_DS;
854 else if (status == STAT_NO_NS)
97e618a0 855 status = STAT_BOGUS;
00a5b5d4
SK		 856 }
857 else if (forward->flags & FREC_CHECK_NOSIGN)
97e618a0
SK		 858 {
859 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
860 if (status != STAT_NEED_KEY)
861 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
862 }
9d633048 863 else
00a5b5d4 864 {
97e618a0 865 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
00a5b5d4
SK		 866 if (status == STAT_NO_SIG)
867 {
868 if (option_bool(OPT_DNSSEC_NO_SIGN))
97e618a0 869 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
00a5b5d4
SK		 870 else
871 status = STAT_INSECURE;
872 }
873 }
3a237152
SK		 874 /* Can't validate, as we're missing key data. Put this
875 answer aside, whilst we get that. */
00a5b5d4 876 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
3a237152 877 {
7fa836e1
SK		 878 struct frec *new, *orig;
879
880 /* Free any saved query */
881 if (forward->stash)
882 blockdata_free(forward->stash);
883
884 /* Now save reply pending receipt of key data */
885 if (!(forward->stash = blockdata_alloc((char *)header, n)))
886 return;
887 forward->stash_len = n;
0fc2f313 888
7fa836e1
SK		 889 anotherkey:
890 /* Find the original query that started it all.... */
891 for (orig = forward; orig->dependent; orig = orig->dependent);
892
893 if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
894 status = STAT_INSECURE;
895 else
3a237152 896 {
7fa836e1 897 int fd;
0fc2f313
SK		 898 struct frec *next = new->next;
899 *new = *forward; /* copy everything, then overwrite */
900 new->next = next;
0fc2f313 901 new->blocking_query = NULL;
8a8bbad0 902 new->sentto = server;
f1668d27 903 new->rfd4 = NULL;
97e618a0 904 new->orig_domain = NULL;
f1668d27
SK		 905#ifdef HAVE_IPV6
906 new->rfd6 = NULL;
907#endif
00a5b5d4 908 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
9d633048 909
7fa836e1
SK		 910 new->dependent = forward; /* to find query awaiting new one. */
911 forward->blocking_query = new; /* for garbage cleaning */
912 /* validate routines leave name of required record in daemon->keyname */
913 if (status == STAT_NEED_KEY)
914 {
915 new->flags |= FREC_DNSKEY_QUERY;
916 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
a77cec8d 917 daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz);
7fa836e1
SK		 918 }
919 else
920 {
00a5b5d4
SK		 921 if (status == STAT_NEED_DS_NEG)
922 new->flags |= FREC_CHECK_NOSIGN;
923 else
924 new->flags |= FREC_DS_QUERY;
7fa836e1 925 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
a77cec8d 926 daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz);
7fa836e1
SK		 927 }
928 if ((hash = hash_questions(header, nn, daemon->namebuff)))
929 memcpy(new->hash, hash, HASH_SIZE);
930 new->new_id = get_id();
931 header->id = htons(new->new_id);
932 /* Save query for retransmission */
97e618a0
SK		 933 if (!(new->stash = blockdata_alloc((char *)header, nn)))
934 return;
935
7fa836e1
SK		 936 new->stash_len = nn;
937
938 /* Don't resend this. */
939 daemon->srv_save = NULL;
e0c0ad3b 940
7fa836e1
SK		 941 if (server->sfd)
942 fd = server->sfd->fd;
e0c0ad3b 943 else
3a237152 944 {
7fa836e1
SK		 945 fd = -1;
946#ifdef HAVE_IPV6
947 if (server->addr.sa.sa_family == AF_INET6)
9d633048 948 {
7fa836e1
SK		 949 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
950 fd = new->rfd6->fd;
9d633048 951 }
3a237152 952 else
3a237152 953#endif
f1668d27 954 {
7fa836e1
SK		 955 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
956 fd = new->rfd4->fd;
f1668d27 957 }
3a237152 958 }
7fa836e1
SK		 959
960 if (fd != -1)
961 {
ff841ebf
SK		 962 while (retry_send(sendto(fd, (char *)header, nn, 0,
963 &server->addr.sa,
964 sa_len(&server->addr))));
7fa836e1
SK		 965 server->queries++;
966 }
967
968 return;
3a237152 969 }
3a237152
SK		 970 }
971
972 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
973 Now wind back down, pulling back answers which wouldn't previously validate
7fa836e1
SK		 974 and validate them with the new data. Note that if an answer needs multiple
975 keys to validate, we may find another key is needed, in which case we set off
976 down another branch of the tree. Once we get to the original answer
977 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
0744ca66 978 while (forward->dependent)
3a237152 979 {
0744ca66
SK		 980 struct frec *prev = forward->dependent;
981 free_frec(forward);
982 forward = prev;
983 forward->blocking_query = NULL; /* already gone */
984 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
985 n = forward->stash_len;
986
987 if (status == STAT_SECURE)
3a237152 988 {
0744ca66
SK		 989 if (forward->flags & FREC_DNSKEY_QUERY)
990 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
991 else if (forward->flags & FREC_DS_QUERY)
00a5b5d4
SK		 992 {
993 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
fe3992f9
SK		 994 /* Provably no DS, everything below is insecure, even if signatures are offered */
995 if (status == STAT_NO_DS)
996 /* We only cache sigs when we've validated a reply.
997 Avoid caching a reply with sigs if there's a vaildated break in the
998 DS chain, so we don't return replies from cache missing sigs. */
999 status = STAT_INSECURE_DS;
1000 else if (status == STAT_NO_NS)
1001 status = STAT_BOGUS;
00a5b5d4
SK		 1002 }
1003 else if (forward->flags & FREC_CHECK_NOSIGN)
97e618a0
SK		 1004 {
1005 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
1006 if (status != STAT_NEED_KEY)
1007 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
1008 }
0744ca66 1009 else
00a5b5d4 1010 {
97e618a0 1011 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
00a5b5d4
SK		 1012 if (status == STAT_NO_SIG)
1013 {
1014 if (option_bool(OPT_DNSSEC_NO_SIGN))
97e618a0 1015 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
00a5b5d4
SK		 1016 else
1017 status = STAT_INSECURE;
1018 }
1019 }
1020
1021 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
7fa836e1 1022 goto anotherkey;
3a237152
SK		 1023 }
1024 }
5d3b87a4 1025
fe3992f9
SK		 1026 no_cache_dnssec = 0;
1027
1028 if (status == STAT_INSECURE_DS)
1029 {
1030 /* We only cache sigs when we've validated a reply.
1031 Avoid caching a reply with sigs if there's a vaildated break in the
1032 DS chain, so we don't return replies from cache missing sigs. */
1033 status = STAT_INSECURE;
1034 no_cache_dnssec = 1;
1035 }
1036
5d3b87a4 1037 if (status == STAT_TRUNCATED)
0744ca66 1038 header->hb3 |= HB3_TC;
5d3b87a4 1039 else
7fa836e1 1040 {
554b580e 1041 char *result, *domain = "result";
7fa836e1
SK		 1042
1043 if (forward->work_counter == 0)
150162bc
SK		 1044 {
1045 result = "ABANDONED";
1046 status = STAT_BOGUS;
1047 }
7fa836e1
SK		 1048 else
1049 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1050
554b580e
SK		 1051 if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
1052 domain = daemon->namebuff;
1053
1054 log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
7fa836e1 1055 }
5d3b87a4 1056
3a237152
SK		 1057 if (status == STAT_SECURE)
1058 cache_secure = 1;
3a237152 1059 else if (status == STAT_BOGUS)
fe3992f9
SK		 1060 {
1061 no_cache_dnssec = 1;
1062 bogusanswer = 1;
1063 }
3a237152 1064 }
83349b8a
SK		 1065#endif
1066
1067 /* restore CD bit to the value in the query */
1068 if (forward->flags & FREC_CHECKING_DISABLED)
1069 header->hb4 |= HB4_CD;
1070 else
1071 header->hb4 &= ~HB4_CD;
8ef5ada2 1072
fe3992f9 1073 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
613ad15d
SK		 1074 forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
1075 forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 1076 {
1077 header->id = htons(forward->orig_id);
572b41eb 1078 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 1079 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 1080 &forward->source, &forward->dest, forward->iface);
b8187c80 1081 }
1a6bca81 1082 free_frec(forward); /* cancel */
9e4abcb5 1083 }
9e4abcb5 1084}
44a2a316 1085
1a6bca81 1086
5aabfc78 1087void receive_query(struct listener *listen, time_t now)
44a2a316 1088{
572b41eb 1089 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 1090 union mysockaddr source_addr;
c1bb8504 1091 unsigned short type;
44a2a316 1092 struct all_addr dst_addr;
f6b7dc47 1093 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 1094 size_t m;
1095 ssize_t n;
3b195961
VG		 1096 int if_index = 0, auth_dns = 0;
1097#ifdef HAVE_AUTH
1098 int local_auth = 0;
1099#endif
44a2a316
SK		 1100 struct iovec iov[1];
1101 struct msghdr msg;
1102 struct cmsghdr *cmptr;
44a2a316
SK		 1103 union {
1104 struct cmsghdr align; /* this ensures alignment */
1105#ifdef HAVE_IPV6
1106 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1107#endif
5e9e0efb 1108#if defined(HAVE_LINUX_NETWORK)
44a2a316 1109 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 1110#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1111 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1112 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 1113#elif defined(IP_RECVDSTADDR)
1114 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1115 CMSG_SPACE(sizeof(struct sockaddr_dl))];
1116#endif
1117 } control_u;
2329bef5
SK		 1118#ifdef HAVE_IPV6
1119 /* Can always get recvd interface for IPv6 */
1120 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
1121#else
1122 int check_dst = !option_bool(OPT_NOWILD);
1123#endif
1124
cdeda28f
SK		 1125 /* packet buffer overwritten */
1126 daemon->srv_save = NULL;
1127
98906275 1128 dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
4f7b304f
SK		 1129 netmask.s_addr = 0;
1130
7e5664bd 1131 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 1132 {
4f7b304f
SK		 1133 auth_dns = listen->iface->dns_auth;
1134
1135 if (listen->family == AF_INET)
1136 {
98906275 1137 dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
4f7b304f
SK		 1138 netmask = listen->iface->netmask;
1139 }
3d8df260 1140 }
4f7b304f 1141
3be34541
SK		 1142 iov[0].iov_base = daemon->packet;
1143 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 1144
1145 msg.msg_control = control_u.control;
1146 msg.msg_controllen = sizeof(control_u);
1147 msg.msg_flags = 0;
1148 msg.msg_name = &source_addr;
1149 msg.msg_namelen = sizeof(source_addr);
1150 msg.msg_iov = iov;
1151 msg.msg_iovlen = 1;
1152
de37951c 1153 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 1154 return;
44a2a316 1155
572b41eb 1156 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 1157 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 1158 (header->hb3 & HB3_QR))
26128d27
SK		 1159 return;
1160
44a2a316 1161 source_addr.sa.sa_family = listen->family;
2a7a2b84
SK		 1162
1163 if (listen->family == AF_INET)
1164 {
1165 /* Source-port == 0 is an error, we can't send back to that.
1166 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1167 if (source_addr.in.sin_port == 0)
1168 return;
1169 }
44a2a316 1170#ifdef HAVE_IPV6
2a7a2b84
SK		 1171 else
1172 {
1173 /* Source-port == 0 is an error, we can't send back to that. */
1174 if (source_addr.in6.sin6_port == 0)
1175 return;
1176 source_addr.in6.sin6_flowinfo = 0;
1177 }
44a2a316 1178#endif
2a7a2b84 1179
c8a80487
SK		 1180 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1181 if (option_bool(OPT_LOCAL_SERVICE))
1182 {
1183 struct addrlist *addr;
1184#ifdef HAVE_IPV6
1185 if (listen->family == AF_INET6)
1186 {
1187 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1188 if ((addr->flags & ADDRLIST_IPV6) &&
1189 is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1190 break;
1191 }
1192 else
1193#endif
1194 {
1195 struct in_addr netmask;
1196 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1197 {
15b1b7e9 1198 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
c8a80487
SK		 1199 if (!(addr->flags & ADDRLIST_IPV6) &&
1200 is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1201 break;
1202 }
1203 }
1204 if (!addr)
1205 {
0c8584ea
SK		 1206 static int warned = 0;
1207 if (!warned)
1208 {
1209 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1210 warned = 1;
1211 }
c8a80487
SK		 1212 return;
1213 }
1214 }
1215
2329bef5 1216 if (check_dst)
26128d27
SK		 1217 {
1218 struct ifreq ifr;
1219
1220 if (msg.msg_controllen < sizeof(struct cmsghdr))
1221 return;
44a2a316 1222
5e9e0efb 1223#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 1224 if (listen->family == AF_INET)
1225 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1226 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 1227 {
8ef5ada2
SK		 1228 union {
1229 unsigned char *c;
1230 struct in_pktinfo *p;
1231 } p;
1232 p.c = CMSG_DATA(cmptr);
1233 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1234 if_index = p.p->ipi_ifindex;
26128d27
SK		 1235 }
1236#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1237 if (listen->family == AF_INET)
44a2a316 1238 {
26128d27 1239 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 1240 {
1241 union {
1242 unsigned char *c;
1243 unsigned int *i;
1244 struct in_addr *a;
1245#ifndef HAVE_SOLARIS_NETWORK
1246 struct sockaddr_dl *s;
1247#endif
1248 } p;
1249 p.c = CMSG_DATA(cmptr);
1250 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1251 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1252 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 1253#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 1254 if_index = *(p.i);
824af85b 1255#else
8ef5ada2 1256 if_index = p.s->sdl_index;
824af85b 1257#endif
8ef5ada2 1258 }
44a2a316 1259 }
44a2a316 1260#endif
26128d27 1261
44a2a316 1262#ifdef HAVE_IPV6
26128d27
SK		 1263 if (listen->family == AF_INET6)
1264 {
1265 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1266 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 1267 {
8ef5ada2
SK		 1268 union {
1269 unsigned char *c;
1270 struct in6_pktinfo *p;
1271 } p;
1272 p.c = CMSG_DATA(cmptr);
1273
1274 dst_addr.addr.addr6 = p.p->ipi6_addr;
1275 if_index = p.p->ipi6_ifindex;
26128d27
SK		 1276 }
1277 }
44a2a316 1278#endif
26128d27
SK		 1279
1280 /* enforce available interface configuration */
1281
e25db1f2 1282 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 1283 return;
832af0ba 1284
e25db1f2
SK		 1285 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1286 {
1287 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 1288 enumerate_interfaces(0);
3f2873d4
SK		 1289 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1290 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 1291 return;
1292 }
1293
552af8b9
SK		 1294 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1295 {
1296 struct irec *iface;
1297
1298 /* get the netmask of the interface whch has the address we were sent to.
1299 This is no neccessarily the interface we arrived on. */
1300
1301 for (iface = daemon->interfaces; iface; iface = iface->next)
1302 if (iface->addr.sa.sa_family == AF_INET &&
1303 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1304 break;
1305
1306 /* interface may be new */
e25db1f2 1307 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 1308 enumerate_interfaces(0);
552af8b9
SK		 1309
1310 for (iface = daemon->interfaces; iface; iface = iface->next)
1311 if (iface->addr.sa.sa_family == AF_INET &&
1312 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1313 break;
1314
1315 /* If we failed, abandon localisation */
1316 if (iface)
1317 netmask = iface->netmask;
1318 else
1319 dst_addr_4.s_addr = 0;
1320 }
44a2a316 1321 }
25cf5e37
SK		 1322
1323 /* log_query gets called indirectly all over the place, so
1324 pass these in global variables - sorry. */
1325 daemon->log_display_id = ++daemon->log_id;
1326 daemon->log_source_addr = &source_addr;
44a2a316 1327
cdeda28f 1328 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 1329 {
b485ed97
SK		 1330#ifdef HAVE_AUTH
1331 struct auth_zone *zone;
1332#endif
610e782a
SK		 1333 char *types = querystr(auth_dns ? "auth" : "query", type);
1334
44a2a316 1335 if (listen->family == AF_INET)
3be34541 1336 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 1337 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 1338#ifdef HAVE_IPV6
1339 else
3be34541 1340 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 1341 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 1342#endif
44a2a316 1343
b485ed97
SK		 1344#ifdef HAVE_AUTH
1345 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1346 if (!auth_dns)
1347 for (zone = daemon->auth_zones; zone; zone = zone->next)
1348 if (in_zone(zone, daemon->namebuff, NULL))
1349 {
1350 auth_dns = 1;
1351 local_auth = 1;
1352 break;
1353 }
b485ed97 1354#endif
b5ea1cc2
SK		 1355
1356#ifdef HAVE_LOOP
1357 /* Check for forwarding loop */
1358 if (detect_loop(daemon->namebuff, type))
1359 return;
1360#endif
b485ed97
SK		 1361 }
1362
4820dce9 1363#ifdef HAVE_AUTH
4f7b304f 1364 if (auth_dns)
824af85b 1365 {
60b68069 1366 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1367 if (m >= 1)
b485ed97
SK		 1368 {
1369 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1370 (char *)header, m, &source_addr, &dst_addr, if_index);
1371 daemon->auth_answer++;
1372 }
824af85b 1373 }
44a2a316 1374 else
4820dce9 1375#endif
4f7b304f 1376 {
613ad15d 1377 int ad_reqd, do_bit;
60b68069 1378 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
613ad15d 1379 dst_addr_4, netmask, now, &ad_reqd, &do_bit);
4f7b304f
SK		 1380
1381 if (m >= 1)
1382 {
1383 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1384 (char *)header, m, &source_addr, &dst_addr, if_index);
1385 daemon->local_answer++;
1386 }
1387 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
613ad15d 1388 header, (size_t)n, now, NULL, ad_reqd, do_bit))
4f7b304f
SK		 1389 daemon->queries_forwarded++;
1390 else
1391 daemon->local_answer++;
1392 }
44a2a316
SK		 1393}
1394
7d7b7b31 1395#ifdef HAVE_DNSSEC
00a5b5d4
SK		 1396
1397/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1398 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1399 STAT_NEED_DS_NEG and keyname if we need to do the query. */
97e618a0
SK		 1400static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
1401 char *name, char *keyname)
00a5b5d4 1402{
00a5b5d4
SK		 1403 int status = dnssec_chase_cname(now, header, plen, name, keyname);
1404
1405 if (status != STAT_INSECURE)
1406 return status;
1407
97e618a0
SK		 1408 /* Store the domain we're trying to check. */
1409 forward->name_start = strlen(name);
1410 forward->name_len = forward->name_start + 1;
1411 if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
1412 return STAT_BOGUS;
1413
1414 return do_check_sign(forward, 0, now, name, keyname);
1415}
1416
1417/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1418static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
1419{
1420 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1421 while (forward->dependent)
1422 forward = forward->dependent;
1423
1424 blockdata_retrieve(forward->orig_domain, forward->name_len, name);
1425
00a5b5d4
SK		 1426 while (1)
1427 {
97e618a0
SK		 1428 char *p;
1429
1430 if (status == 0)
00a5b5d4 1431 {
97e618a0
SK		 1432 struct crec *crecp;
1433
1434 /* Haven't received answer, see if in cache */
1435 if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
1436 {
1437 /* put name of DS record we're missing into keyname */
1438 strcpy(keyname, &name[forward->name_start]);
1439 /* and wait for reply to arrive */
1440 return STAT_NEED_DS_NEG;
1441 }
1442
1443 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1444 if (!(crecp->flags & F_NEG))
1445 status = STAT_SECURE;
1446 else if (crecp->flags & F_DNSSECOK)
1447 status = STAT_NO_DS;
1448 else
1449 status = STAT_NO_NS;
00a5b5d4 1450 }
97e618a0
SK		 1451
1452 /* Have entered non-signed part of DNS tree. */
1453 if (status == STAT_NO_DS)
1454 return STAT_INSECURE;
00a5b5d4 1455
97e618a0 1456 if (status == STAT_BOGUS)
4e1fe444
SK		 1457 return STAT_BOGUS;
1458
97e618a0
SK		 1459 /* There's a proven DS record, or we're within a zone, where there doesn't need
1460 to be a DS record. Add a name and try again.
1461 If we've already tried the whole name, then fail */
00a5b5d4 1462
97e618a0
SK		 1463 if (forward->name_start == 0)
1464 return STAT_BOGUS;
4872aa74 1465
97e618a0
SK		 1466 for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
1467
1468 if (p != name)
1469 p++;
1470
1471 forward->name_start = p - name;
1472 status = 0; /* force to cache when we iterate. */
00a5b5d4 1473 }
00a5b5d4
SK		 1474}
1475
fe3992f9 1476/* Move down from the root, until we find a signed non-existance of a DS, in which case
00a5b5d4
SK		 1477 an unsigned answer is OK, or we find a signed DS, in which case there should be
1478 a signature, and the answer is BOGUS */
1479static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1480 char *keyname, struct server *server, int *keycount)
1481{
1482 size_t m;
1483 unsigned char *packet, *payload;
1484 u16 *length;
97e618a0
SK		 1485 int status, name_len;
1486 struct blockdata *block;
1487
1488 char *name_start;
00a5b5d4
SK		 1489
1490 /* Get first insecure entry in CNAME chain */
1491 status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1492 if (status == STAT_BOGUS)
1493 return STAT_BOGUS;
1494
1495 if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1496 return STAT_BOGUS;
1497
1498 payload = &packet[2];
1499 header = (struct dns_header *)payload;
1500 length = (u16 *)packet;
97e618a0
SK		 1501
1502 /* Stash the name away, since the buffer will be trashed when we recurse */
1503 name_len = strlen(name) + 1;
1504 name_start = name + name_len - 1;
00a5b5d4 1505
97e618a0
SK		 1506 if (!(block = blockdata_alloc(name, name_len)))
1507 {
1508 free(packet);
1509 return STAT_BOGUS;
1510 }
1511
00a5b5d4
SK		 1512 while (1)
1513 {
00a5b5d4 1514 unsigned char c1, c2;
97e618a0
SK		 1515 struct crec *crecp;
1516
00a5b5d4 1517 if (--(*keycount) == 0)
fc2833f1
TH		 1518 {
1519 free(packet);
97e618a0 1520 blockdata_free(block);
fc2833f1
TH		 1521 return STAT_BOGUS;
1522 }
00a5b5d4 1523
424c4a8a 1524 while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS)))
97e618a0
SK		 1525 {
1526 if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
1527 {
1528 /* Found a secure denial of DS - delegation is indeed insecure */
1529 free(packet);
1530 blockdata_free(block);
1531 return STAT_INSECURE;
1532 }
1533
1534 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1535 Add another label and continue. */
1536
1537 if (name_start == name)
1538 {
1539 free(packet);
1540 blockdata_free(block);
1541 return STAT_BOGUS; /* run out of labels */
1542 }
1543
1544 name_start -= 2;
1545 while (*name_start != '.' && name_start != name)
1546 name_start--;
1547 if (name_start != name)
1548 name_start++;
4e1fe444 1549 }
97e618a0
SK		 1550
1551 /* Can't find it in the cache, have to send a query */
4e1fe444 1552
a77cec8d 1553 m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz);
00a5b5d4 1554
97e618a0 1555 *length = htons(m);
b37f8b99 1556
97e618a0
SK		 1557 if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1558 read_write(server->tcpfd, &c1, 1, 1) &&
1559 read_write(server->tcpfd, &c2, 1, 1) &&
1560 read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1561 {
1562 m = (c1 << 8) | c2;
00a5b5d4 1563
97e618a0
SK		 1564 /* Note this trashes all three name workspaces */
1565 status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1566
1567 if (status == STAT_NO_DS)
00a5b5d4 1568 {
97e618a0
SK		 1569 /* Found a secure denial of DS - delegation is indeed insecure */
1570 free(packet);
1571 blockdata_free(block);
1572 return STAT_INSECURE;
1573 }
1574
1575 if (status == STAT_BOGUS)
1576 {
1577 free(packet);
1578 blockdata_free(block);
1579 return STAT_BOGUS;
1580 }
1581
1582 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1583 Add another label and continue. */
1584
1585 /* Get name we're checking back. */
1586 blockdata_retrieve(block, name_len, name);
1587
1588 if (name_start == name)
1589 {
1590 free(packet);
1591 blockdata_free(block);
1592 return STAT_BOGUS; /* run out of labels */
00a5b5d4 1593 }
97e618a0
SK		 1594
1595 name_start -= 2;
1596 while (*name_start != '.' && name_start != name)
1597 name_start--;
1598 if (name_start != name)
1599 name_start++;
1600 }
1601 else
1602 {
1603 /* IO failure */
1604 free(packet);
1605 blockdata_free(block);
1606 return STAT_BOGUS; /* run out of labels */
00a5b5d4 1607 }
00a5b5d4
SK		 1608 }
1609}
1610
7fa836e1
SK		 1611static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1612 int class, char *name, char *keyname, struct server *server, int *keycount)
7d7b7b31
SK		 1613{
1614 /* Recurse up the key heirarchy */
7d7b7b31 1615 int new_status;
7d7b7b31 1616
7fa836e1
SK		 1617 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1618 if (--(*keycount) == 0)
1619 return STAT_INSECURE;
7d7b7b31 1620
7fa836e1
SK		 1621 if (status == STAT_NEED_KEY)
1622 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
00a5b5d4
SK		 1623 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1624 {
1625 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
fe3992f9
SK		 1626 if (status == STAT_NEED_DS)
1627 {
1628 if (new_status == STAT_NO_DS)
1629 new_status = STAT_INSECURE_DS;
1630 else if (new_status == STAT_NO_NS)
1631 new_status = STAT_BOGUS;
1632 }
00a5b5d4
SK		 1633 }
1634 else if (status == STAT_CHASE_CNAME)
1635 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1636 else
1637 {
97e618a0 1638 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
00a5b5d4
SK		 1639
1640 if (new_status == STAT_NO_SIG)
1641 {
1642 if (option_bool(OPT_DNSSEC_NO_SIGN))
1643 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1644 else
1645 new_status = STAT_INSECURE;
1646 }
1647 }
1648
7fa836e1
SK		 1649 /* Can't validate because we need a key/DS whose name now in keyname.
1650 Make query for same, and recurse to validate */
1651 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
7d7b7b31 1652 {
7fa836e1
SK		 1653 size_t m;
1654 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1655 unsigned char *payload = &packet[2];
1656 struct dns_header *new_header = (struct dns_header *)payload;
1657 u16 *length = (u16 *)packet;
1658 unsigned char c1, c2;
1659
1660 if (!packet)
1661 return STAT_INSECURE;
1662
1663 another_tcp_key:
1664 m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
a77cec8d 1665 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz);
7d7b7b31 1666
7fa836e1 1667 *length = htons(m);
7d7b7b31 1668
7fa836e1
SK		 1669 if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1670 !read_write(server->tcpfd, &c1, 1, 1) ||
1671 !read_write(server->tcpfd, &c2, 1, 1) ||
1672 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1673 new_status = STAT_INSECURE;
1674 else
7d7b7b31 1675 {
7fa836e1
SK		 1676 m = (c1 << 8) | c2;
1677
00a5b5d4
SK		 1678 new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1679
1680 if (new_status == STAT_SECURE)
7d7b7b31 1681 {
7fa836e1
SK		 1682 /* Reached a validated record, now try again at this level.
1683 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1684 If so, go round again. */
7d7b7b31 1685
7fa836e1
SK		 1686 if (status == STAT_NEED_KEY)
1687 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
00a5b5d4
SK		 1688 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1689 {
1690 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
fe3992f9
SK		 1691 if (status == STAT_NEED_DS)
1692 {
1693 if (new_status == STAT_NO_DS)
1694 new_status = STAT_INSECURE_DS;
1695 else if (new_status == STAT_NO_NS)
1696 new_status = STAT_BOGUS; /* Validated no DS */
1697 }
00a5b5d4
SK		 1698 }
1699 else if (status == STAT_CHASE_CNAME)
1700 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1701 else
1702 {
97e618a0 1703 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
00a5b5d4
SK		 1704
1705 if (new_status == STAT_NO_SIG)
1706 {
1707 if (option_bool(OPT_DNSSEC_NO_SIGN))
1708 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1709 else
1710 new_status = STAT_INSECURE;
1711 }
1712 }
1713
7d7b7b31 1714 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
7fa836e1 1715 goto another_tcp_key;
7d7b7b31
SK		 1716 }
1717 }
fe3992f9 1718
7fa836e1
SK		 1719 free(packet);
1720 }
7d7b7b31
SK		 1721 return new_status;
1722}
1723#endif
1724
1725
feba5c1d
SK		 1726/* The daemon forks before calling this: it should deal with one connection,
1727 blocking as neccessary, and then return. Note, need to be a bit careful
1728 about resources for debug mode, when the fork is suppressed: that's
1729 done by the caller. */
5aabfc78 1730unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1731 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1732{
28866e95
SK		 1733 size_t size = 0;
1734 int norebind = 0;
3b195961 1735#ifdef HAVE_AUTH
19b16891 1736 int local_auth = 0;
3b195961 1737#endif
613ad15d 1738 int checking_disabled, ad_question, do_bit, added_pheader = 0;
fe3992f9 1739 int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
cdeda28f 1740 size_t m;
ee86ce68
SK		 1741 unsigned short qtype;
1742 unsigned int gotname;
feba5c1d 1743 unsigned char c1, c2;
4b5ea12e
SK		 1744 /* Max TCP packet + slop + size */
1745 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1746 unsigned char *payload = &packet[2];
1747 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1748 struct dns_header *header = (struct dns_header *)payload;
1749 u16 *length = (u16 *)packet;
3be34541 1750 struct server *last_server;
7de060b0
SK		 1751 struct in_addr dst_addr_4;
1752 union mysockaddr peer_addr;
1753 socklen_t peer_len = sizeof(union mysockaddr);
25cf5e37
SK		 1754 int query_count = 0;
1755
7de060b0
SK		 1756 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1757 return packet;
c8a80487
SK		 1758
1759 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1760 if (option_bool(OPT_LOCAL_SERVICE))
1761 {
1762 struct addrlist *addr;
1763#ifdef HAVE_IPV6
1764 if (peer_addr.sa.sa_family == AF_INET6)
1765 {
1766 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1767 if ((addr->flags & ADDRLIST_IPV6) &&
1768 is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1769 break;
1770 }
1771 else
1772#endif
1773 {
1774 struct in_addr netmask;
1775 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1776 {
15b1b7e9 1777 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
c8a80487
SK		 1778 if (!(addr->flags & ADDRLIST_IPV6) &&
1779 is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1780 break;
1781 }
1782 }
1783 if (!addr)
1784 {
1785 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1786 return packet;
1787 }
1788 }
7de060b0 1789
feba5c1d
SK		 1790 while (1)
1791 {
25cf5e37
SK		 1792 if (query_count == TCP_MAX_QUERIES ||
1793 !packet ||
feba5c1d
SK		 1794 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1795 !(size = c1 << 8 | c2) ||
4b5ea12e 1796 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1797 return packet;
1798
572b41eb 1799 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1800 continue;
1801
25cf5e37
SK		 1802 query_count++;
1803
1804 /* log_query gets called indirectly all over the place, so
1805 pass these in global variables - sorry. */
1806 daemon->log_display_id = ++daemon->log_id;
1807 daemon->log_source_addr = &peer_addr;
1808
ed4c0767
SK		 1809 check_subnet = 0;
1810
28866e95 1811 /* save state of "cd" flag in query */
7d7b7b31
SK		 1812 if ((checking_disabled = header->hb4 & HB4_CD))
1813 no_cache_dnssec = 1;
28866e95 1814
3be34541 1815 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1816 {
b485ed97
SK		 1817#ifdef HAVE_AUTH
1818 struct auth_zone *zone;
1819#endif
610e782a 1820 char *types = querystr(auth_dns ? "auth" : "query", qtype);
7de060b0
SK		 1821
1822 if (peer_addr.sa.sa_family == AF_INET)
1823 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1824 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1825#ifdef HAVE_IPV6
7de060b0
SK		 1826 else
1827 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1828 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1829#endif
b485ed97
SK		 1830
1831#ifdef HAVE_AUTH
1832 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1833 if (!auth_dns)
1834 for (zone = daemon->auth_zones; zone; zone = zone->next)
1835 if (in_zone(zone, daemon->namebuff, NULL))
1836 {
1837 auth_dns = 1;
1838 local_auth = 1;
1839 break;
1840 }
b485ed97 1841#endif
feba5c1d
SK		 1842 }
1843
7de060b0
SK		 1844 if (local_addr->sa.sa_family == AF_INET)
1845 dst_addr_4 = local_addr->in.sin_addr;
1846 else
1847 dst_addr_4.s_addr = 0;
1848
4820dce9 1849#ifdef HAVE_AUTH
4f7b304f 1850 if (auth_dns)
19b16891 1851 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1852 else
4820dce9 1853#endif
feba5c1d 1854 {
4f7b304f
SK		 1855 /* m > 0 if answered from cache */
1856 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
613ad15d 1857 dst_addr_4, netmask, now, &ad_question, &do_bit);
feba5c1d 1858
4f7b304f
SK		 1859 /* Do this by steam now we're not in the select() loop */
1860 check_log_writer(NULL);
1861
1862 if (m == 0)
feba5c1d 1863 {
4f7b304f
SK		 1864 unsigned int flags = 0;
1865 struct all_addr *addrp = NULL;
1866 int type = 0;
1867 char *domain = NULL;
feba5c1d 1868
4f7b304f
SK		 1869 if (option_bool(OPT_ADD_MAC))
1870 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1871
1872 if (option_bool(OPT_CLIENT_SUBNET))
1873 {
1874 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1875 if (size != new)
1876 {
1877 size = new;
1878 check_subnet = 1;
1879 }
1880 }
1881
4f7b304f
SK		 1882 if (gotname)
1883 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1884
1885 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1886 last_server = daemon->servers;
1887 else
1888 last_server = daemon->last_server;
1889
1890 if (!flags && last_server)
1891 {
1892 struct server *firstsendto = NULL;
8a9be9e4 1893#ifdef HAVE_DNSSEC
703c7ff4 1894 unsigned char *newhash, hash[HASH_SIZE];
63758384 1895 if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
8a9be9e4 1896 memcpy(hash, newhash, HASH_SIZE);
b37f8b99
TH		 1897 else
1898 memset(hash, 0, HASH_SIZE);
8a9be9e4 1899#else
4f7b304f 1900 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
8a9be9e4 1901#endif
4f7b304f
SK		 1902 /* Loop round available servers until we succeed in connecting to one.
1903 Note that this code subtley ensures that consecutive queries on this connection
1904 which can go to the same server, do so. */
1905 while (1)
feba5c1d 1906 {
4f7b304f
SK		 1907 if (!firstsendto)
1908 firstsendto = last_server;
1909 else
1910 {
1911 if (!(last_server = last_server->next))
1912 last_server = daemon->servers;
1913
1914 if (last_server == firstsendto)
1915 break;
1916 }
1917
1918 /* server for wrong domain */
1919 if (type != (last_server->flags & SERV_TYPE) ||
b5ea1cc2
SK		 1920 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
1921 (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
7de060b0
SK		 1922 continue;
1923
4f7b304f 1924 if (last_server->tcpfd == -1)
7de060b0 1925 {
4f7b304f
SK		 1926 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1927 continue;
1928
e9828b6f
KV		 1929#ifdef HAVE_CONNTRACK
1930 /* Copy connection mark of incoming query to outgoing connection. */
1931 if (option_bool(OPT_CONNTRACK))
1932 {
1933 unsigned int mark;
1934 struct all_addr local;
1935#ifdef HAVE_IPV6
1936 if (local_addr->sa.sa_family == AF_INET6)
1937 local.addr.addr6 = local_addr->in6.sin6_addr;
1938 else
1939#endif
1940 local.addr.addr4 = local_addr->in.sin_addr;
1941
1942 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1943 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1944 }
1945#endif
1946
4f7b304f
SK		 1947 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1948 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1949 {
1950 close(last_server->tcpfd);
1951 last_server->tcpfd = -1;
1952 continue;
1953 }
1954
7d7b7b31
SK		 1955#ifdef HAVE_DNSSEC
1956 if (option_bool(OPT_DNSSEC_VALID))
1957 {
613ad15d
SK		 1958 size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
1959
2ecd9bd5
SK		 1960 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1961 this allows it to select auth servers when one is returning bad data. */
1962 if (option_bool(OPT_DNSSEC_DEBUG))
1963 header->hb4 |= HB4_CD;
613ad15d
SK		 1964
1965 if (size != new_size)
1966 added_pheader = 1;
1967
1968 size = new_size;
7d7b7b31
SK		 1969 }
1970#endif
4f7b304f
SK		 1971 }
1972
4b5ea12e 1973 *length = htons(size);
1fc02680
SK		 1974
1975 /* get query name again for logging - may have been overwritten */
1976 if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1977 strcpy(daemon->namebuff, "query");
4f7b304f 1978
4b5ea12e 1979 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f 1980 !read_write(last_server->tcpfd, &c1, 1, 1) ||
7d7b7b31
SK		 1981 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1982 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
4f7b304f
SK		 1983 {
1984 close(last_server->tcpfd);
1985 last_server->tcpfd = -1;
1986 continue;
1987 }
1988
1989 m = (c1 << 8) | c2;
4f7b304f 1990
4f7b304f
SK		 1991 if (last_server->addr.sa.sa_family == AF_INET)
1992 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1993 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 1994#ifdef HAVE_IPV6
4f7b304f
SK		 1995 else
1996 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1997 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 1998#endif
7d7b7b31
SK		 1999
2000#ifdef HAVE_DNSSEC
2001 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
2002 {
7fa836e1
SK		 2003 int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
2004 int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
554b580e 2005 char *result, *domain = "result";
7fa836e1 2006
fe3992f9
SK		 2007 if (status == STAT_INSECURE_DS)
2008 {
2009 /* We only cache sigs when we've validated a reply.
2010 Avoid caching a reply with sigs if there's a vaildated break in the
2011 DS chain, so we don't return replies from cache missing sigs. */
2012 status = STAT_INSECURE;
2013 no_cache_dnssec = 1;
2014 }
2015
7fa836e1 2016 if (keycount == 0)
150162bc
SK		 2017 {
2018 result = "ABANDONED";
2019 status = STAT_BOGUS;
2020 }
7fa836e1
SK		 2021 else
2022 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
e66b4dff
SK		 2023
2024 if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
2025 domain = daemon->namebuff;
554b580e
SK		 2026
2027 log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
7d7b7b31 2028
7d7b7b31 2029 if (status == STAT_BOGUS)
fe3992f9
SK		 2030 {
2031 no_cache_dnssec = 1;
2032 bogusanswer = 1;
2033 }
2034
7d7b7b31
SK		 2035 if (status == STAT_SECURE)
2036 cache_secure = 1;
2037 }
2038#endif
2039
2040 /* restore CD bit to the value in the query */
2041 if (checking_disabled)
2042 header->hb4 |= HB4_CD;
2043 else
2044 header->hb4 &= ~HB4_CD;
4f7b304f
SK		 2045
2046 /* There's no point in updating the cache, since this process will exit and
2047 lose the information after a few queries. We make this call for the alias and
2048 bogus-nxdomain side-effects. */
2049 /* If the crc of the question section doesn't match the crc we sent, then
2050 someone might be attempting to insert bogus values into the cache by
2051 sending replies containing questions and bogus answers. */
8a9be9e4
SK		 2052#ifdef HAVE_DNSSEC
2053 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
2054 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
703c7ff4
SK		 2055 {
2056 m = 0;
2057 break;
2058 }
8a9be9e4
SK		 2059#else
2060 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
703c7ff4
SK		 2061 {
2062 m = 0;
2063 break;
2064 }
8a9be9e4
SK		 2065#endif
2066
2067 m = process_reply(header, now, last_server, (unsigned int)m,
e66b4dff
SK		 2068 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
2069 ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
4f7b304f
SK		 2070
2071 break;
2072 }
feba5c1d 2073 }
4f7b304f
SK		 2074
2075 /* In case of local answer or no connections made. */
2076 if (m == 0)
2077 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 2078 }
feba5c1d 2079 }
4f7b304f 2080
5aabfc78 2081 check_log_writer(NULL);
feba5c1d 2082
4b5ea12e
SK		 2083 *length = htons(m);
2084
2085 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 2086 return packet;
2087 }
2088}
2089
1697269c 2090static struct frec *allocate_frec(time_t now)
9e4abcb5 2091{
1697269c
SK		 2092 struct frec *f;
2093
5aabfc78 2094 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 2095 {
1a6bca81 2096 f->next = daemon->frec_list;
1697269c 2097 f->time = now;
832af0ba 2098 f->sentto = NULL;
1a6bca81 2099 f->rfd4 = NULL;
28866e95 2100 f->flags = 0;
1a6bca81
SK		 2101#ifdef HAVE_IPV6
2102 f->rfd6 = NULL;
3a237152
SK		 2103#endif
2104#ifdef HAVE_DNSSEC
97bc798b 2105 f->dependent = NULL;
3a237152 2106 f->blocking_query = NULL;
4619d946 2107 f->stash = NULL;
97e618a0 2108 f->orig_domain = NULL;
1a6bca81
SK		 2109#endif
2110 daemon->frec_list = f;
1697269c 2111 }
9e4abcb5 2112
1697269c
SK		 2113 return f;
2114}
9e4abcb5 2115
b5ea1cc2 2116struct randfd *allocate_rfd(int family)
1a6bca81
SK		 2117{
2118 static int finger = 0;
2119 int i;
2120
2121 /* limit the number of sockets we have open to avoid starvation of
2122 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2123
2124 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 2125 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 2126 {
9009d746
SK		 2127 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
2128 break;
2129
1a6bca81
SK		 2130 daemon->randomsocks[i].refcount = 1;
2131 daemon->randomsocks[i].family = family;
2132 return &daemon->randomsocks[i];
2133 }
2134
9009d746 2135 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 2136 for (i = 0; i < RANDOM_SOCKS; i++)
2137 {
2138 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 2139 if (daemon->randomsocks[j].refcount != 0 &&
2140 daemon->randomsocks[j].family == family &&
2141 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 2142 {
2143 finger = j;
2144 daemon->randomsocks[j].refcount++;
2145 return &daemon->randomsocks[j];
2146 }
2147 }
2148
2149 return NULL; /* doom */
2150}
b5ea1cc2
SK		 2151
2152void free_rfd(struct randfd *rfd)
2153{
2154 if (rfd && --(rfd->refcount) == 0)
2155 close(rfd->fd);
2156}
2157
1a6bca81
SK		 2158static void free_frec(struct frec *f)
2159{
b5ea1cc2 2160 free_rfd(f->rfd4);
1a6bca81
SK		 2161 f->rfd4 = NULL;
2162 f->sentto = NULL;
28866e95 2163 f->flags = 0;
1a6bca81
SK		 2164
2165#ifdef HAVE_IPV6
b5ea1cc2 2166 free_rfd(f->rfd6);
1a6bca81
SK		 2167 f->rfd6 = NULL;
2168#endif
3a237152
SK		 2169
2170#ifdef HAVE_DNSSEC
2171 if (f->stash)
0fc2f313
SK		 2172 {
2173 blockdata_free(f->stash);
2174 f->stash = NULL;
2175 }
3a237152 2176
97e618a0
SK		 2177 if (f->orig_domain)
2178 {
2179 blockdata_free(f->orig_domain);
2180 f->orig_domain = NULL;
2181 }
2182
3a237152
SK		 2183 /* Anything we're waiting on is pointless now, too */
2184 if (f->blocking_query)
2185 free_frec(f->blocking_query);
2186 f->blocking_query = NULL;
39048ad1 2187 f->dependent = NULL;
3a237152 2188#endif
1a6bca81
SK		 2189}
2190
1697269c
SK		 2191/* if wait==NULL return a free or older than TIMEOUT record.
2192 else return *wait zero if one available, or *wait is delay to
1a6bca81 2193 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 2194 limit of 4*TIMEOUT before we wipe things (for random sockets).
2195 If force is set, always return a result, even if we have
2196 to allocate above the limit. */
2197struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 2198{
1a6bca81 2199 struct frec *f, *oldest, *target;
1697269c
SK		 2200 int count;
2201
2202 if (wait)
2203 *wait = 0;
2204
1a6bca81 2205 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 2206 if (!f->sentto)
1a6bca81
SK		 2207 target = f;
2208 else
1697269c 2209 {
1a6bca81
SK		 2210 if (difftime(now, f->time) >= 4*TIMEOUT)
2211 {
2212 free_frec(f);
2213 target = f;
2214 }
2215
2216 if (!oldest || difftime(f->time, oldest->time) <= 0)
2217 oldest = f;
1697269c 2218 }
1a6bca81
SK		 2219
2220 if (target)
2221 {
2222 target->time = now;
2223 return target;
2224 }
9e4abcb5
SK		 2225
2226 /* can't find empty one, use oldest if there is one
2227 and it's older than timeout */
1697269c 2228 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 2229 {
1697269c
SK		 2230 /* keep stuff for twice timeout if we can by allocating a new
2231 record instead */
2232 if (difftime(now, oldest->time) < 2*TIMEOUT &&
2233 count <= daemon->ftabsize &&
2234 (f = allocate_frec(now)))
2235 return f;
2236
2237 if (!wait)
2238 {
1a6bca81 2239 free_frec(oldest);
1697269c
SK		 2240 oldest->time = now;
2241 }
9e4abcb5
SK		 2242 return oldest;
2243 }
2244
1697269c 2245 /* none available, calculate time 'till oldest record expires */
3a237152 2246 if (!force && count > daemon->ftabsize)
1697269c 2247 {
0da5e897
MSB		 2248 static time_t last_log = 0;
2249
1697269c
SK		 2250 if (oldest && wait)
2251 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 2252
2253 if ((int)difftime(now, last_log) > 5)
2254 {
2255 last_log = now;
2256 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
2257 }
2258
9e4abcb5
SK		 2259 return NULL;
2260 }
1697269c
SK		 2261
2262 if (!(f = allocate_frec(now)) && wait)
2263 /* wait one second on malloc failure */
2264 *wait = 1;
9e4abcb5 2265
9e4abcb5
SK		 2266 return f; /* OK if malloc fails and this is NULL */
2267}
2268
832af0ba 2269/* crc is all-ones if not known. */
8a9be9e4 2270static struct frec *lookup_frec(unsigned short id, void *hash)
9e4abcb5
SK		 2271{
2272 struct frec *f;
2273
1a6bca81 2274 for(f = daemon->frec_list; f; f = f->next)
832af0ba 2275 if (f->sentto && f->new_id == id &&
8a9be9e4 2276 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
9e4abcb5
SK		 2277 return f;
2278
2279 return NULL;
2280}
2281
2282static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481 2283 union mysockaddr *addr,
8a9be9e4 2284 void *hash)
9e4abcb5 2285{
feba5c1d
SK		 2286 struct frec *f;
2287
1a6bca81 2288 for(f = daemon->frec_list; f; f = f->next)
832af0ba 2289 if (f->sentto &&
9e4abcb5 2290 f->orig_id == id &&
8a9be9e4 2291 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
9e4abcb5
SK		 2292 sockaddr_isequal(&f->source, addr))
2293 return f;
2294
2295 return NULL;
2296}
47a95169
SK		 2297
2298/* Send query packet again, if we can. */
2299void resend_query()
2300{
2301 if (daemon->srv_save)
2302 {
2303 int fd;
2304
2305 if (daemon->srv_save->sfd)
2306 fd = daemon->srv_save->sfd->fd;
2307 else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
2308 fd = daemon->rfd_save->fd;
2309 else
2310 return;
2311
ff841ebf
SK		 2312 while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
2313 &daemon->srv_save->addr.sa,
2314 sa_len(&daemon->srv_save->addr))));
47a95169
SK		 2315 }
2316}
9e4abcb5 2317
849a8357 2318/* A server record is going away, remove references to it */
5aabfc78 2319void server_gone(struct server *server)
849a8357
SK		 2320{
2321 struct frec *f;
2322
1a6bca81 2323 for (f = daemon->frec_list; f; f = f->next)
832af0ba 2324 if (f->sentto && f->sentto == server)
1a6bca81 2325 free_frec(f);
849a8357
SK		 2326
2327 if (daemon->last_server == server)
2328 daemon->last_server = NULL;
2329
2330 if (daemon->srv_save == server)
2331 daemon->srv_save = NULL;
2332}
9e4abcb5 2333
316e2730 2334/* return unique random ids. */
8a9be9e4 2335static unsigned short get_id(void)
9e4abcb5
SK		 2336{
2337 unsigned short ret = 0;
832af0ba 2338
316e2730 2339 do
832af0ba 2340 ret = rand16();
8a9be9e4 2341 while (lookup_frec(ret, NULL));
832af0ba 2342
9e4abcb5
SK		 2343 return ret;
2344}
2345
2346
2347
2348
2349
Michael's tree of dnsmasq.